#!/bin/posh
# shellcheck disable=1003,1091,2006,2016,2034,2039
# vim: set ts=2 sw=2 sts=2 fdm=marker fmr=#(,#) et:
#
# doc:
#
#  Copy this file to a new one named after the CVE to test, all in
# lowercase (e.g.: cve-2014-6271.sh).
#  Then add the code for the functions shown here. **ALL** functions must appear
# in the newly created file; however, the ones marked as 'optional' can be left
# with the same code as in 'skel.sh'. Inside the function, declare all the
# variables as 'local' (e.g.: local vuln_version="1.2.3")
#
#  NOTE: Functions and variables implemented in 'lse.sh' can be used here:
#   * lse_get_pkg_version: Get package version supplying package name
#   * lse_is_version_bigger: Check if version in $1 is bigger than the $2
#   * $lse_arch: System architecture
#   * $lse_distro_codename: The linux distribution code name (ubuntu, debian,
#      opsuse, centos, redhat, fedora)
#   * $lse_linux: Kernel version
#   * Colors
#  XXX: Check the definitions in 'lse.sh' to better understand what they do and
#       how they work
#
################################################################################
## RULES:
##  * Do NOT cause any harm with the tests
##  * Try to be as accurate as possible, trying to detect patched versions from
##    distro package versions. Try to minimize false positives.
##  * The script must be POSIX compliant. Test it with 'posh' shell.
################################################################################


# lse_cve_level: 0 if the CVE leads to a privilege escalation; 1 for other CVEs.
# PwnKit is a local privilege escalation through polkit's setuid pkexec, so 0.
lse_cve_level=0

# lse_cve_id: CVE id in lowercase (e.g.: cve-2014-6271)
lse_cve_id="cve-2021-4034"

# lse_cve_description: Short. Not more than 52 characters long.
#__________________="vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv"
lse_cve_description="Checking for PwnKit vulnerability"

# Code retrieved with 'declare -f' by the packaging bash script
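#######################################
# Report whether the installed polkit/pkexec looks vulnerable to CVE-2021-4034.
#
# The check is passive: it reads file permissions, 'pkexec --version', the
# distro package version and /etc/os-release. It never invokes pkexec with
# crafted input.
#
# Globals:   lse_distro_codename (read)
# Uses:      lse_get_pkg_version, lse_is_version_bigger (from 'lse.sh')
# Outputs:   "Vulnerable! polkit version: <version>" on stdout when the
#            installed version is not recognised as fixed.
# Returns:   0 when the finding is printed; 1 when pkexec is missing or not
#            setuid. Patched systems leave through 'exit 1'.
# NOTE(review): 'exit' ends the calling shell, so this presumably runs inside
#            a subshell (the '#(' / '#)' markers hint at that) - confirm
#            against the caller in 'lse.sh'.
#######################################
lse_cve_test() { #(
  local vulnerable=false
  local pkexec
  local pkexec_version
  local distro_release
  local package_version
  local package_fixed
  pkexec=$(command -v pkexec)
  package_version=$(lse_get_pkg_version polkit)
  # Only a setuid pkexec is of interest: the mode string must describe a
  # regular file with 's' in the owner-execute position.
  if [ -n "$pkexec" ] && stat -c'%A' "$pkexec" | grep -Eq -- '^-..s.+'; then
    vulnerable=true
    pkexec_version=$(pkexec --version | grep -Eo '[0-9\.]+')
    # Anything newer than 0.120 is treated as fixed.
    if lse_is_version_bigger "$pkexec_version" 0.120 ; then
      # Not Vulnerable
      exit 1
    fi
    # Distros backport the fix without bumping the upstream version, so look up
    # the package version treated as fixed for the running release.
    # os-release values may be quoted (e.g. VERSION_ID="8.5"); the quotes are
    # stripped so the release patterns below can match. Without that, a patched
    # system falls through to the wrong branch and is misreported.
    case "$lse_distro_codename" in
      ubuntu|debian)
        [ -r "/etc/os-release" ] && distro_release=$(grep -E '^VERSION_CODENAME=' /etc/os-release | cut -f2 -d= | tr -d "\"'")
        # Debian and Ubuntu name the package 'policykit-1' rather than 'polkit'.
        package_version=$(lse_get_pkg_version policykit-1)
        case "$distro_release" in
          bionic)
            package_fixed="0.105-20ubuntu0.18.04.6"
            ;;
          focal)
            package_fixed="0.105-26ubuntu1.2"
            ;;
          impish)
            package_fixed="0.105-31ubuntu0.1"
            ;;
          trusty)
            package_fixed="0.105-4ubuntu3.14.04.6+esm1"
            ;;
          xenial)
            package_fixed="0.105-14.1ubuntu0.5+esm1"
            ;;
          stretch)
            package_fixed="0.105-18+deb9u2"
            ;;
          buster)
            package_fixed="0.105-25+deb10u1"
            ;;
          bullseye)
            package_fixed="0.105-31+deb11u1"
            ;;
          *) # Future releases (bookworm+ and jammy+). Debian derivatives use a polkit fork based on version 0.105.
            package_fixed="0.105-33"
            ;;
        esac
        ;;
      redhat)
        [ -r "/etc/os-release" ] && distro_release=$(grep -E '^VERSION_ID=' /etc/os-release | cut -f2 -d= | tr -d "\"'")
        case "$distro_release" in
          6.*)
            package_fixed="0.96-11.el6_10.2"
            ;;
          7.3)
            package_fixed="0.112-12.el7_3.1"
            ;;
          7.4)
            package_fixed="0.112-12.el7_4.2"
            ;;
          7.6)
            package_fixed="0.112-18.el7_6.3"
            ;;
          7.7)
            package_fixed="0.112-22.el7_7.2"
            ;;
          7.*)
            package_fixed="0.112-26.el7_9.1"
            ;;
          8.1)
            package_fixed="0.115-9.el8_1.2"
            ;;
          8.2)
            package_fixed="0.115-11.el8_2.2"
            ;;
          8.4)
            package_fixed="0.115-11.el8_4.2"
            ;;
          8.*)
            package_fixed="0.115-13.el8_5.1"
            ;;
          *)
            # Releases after 8 are treated as not affected.
            lse_is_version_bigger "$distro_release" 8 && exit 1
            ;;
        esac
        ;;
      rocky)
        [ -r "/etc/os-release" ] && distro_release=$(grep -E '^VERSION_ID=' /etc/os-release | cut -f2 -d= | tr -d "\"'")
        case "$distro_release" in
          8.5)
            package_fixed="0.115-13.el8_5.1"
            ;;
        esac
        ;;
      opsuse)
        [ -r "/etc/os-release" ] && distro_release=$(grep -E '^VERSION_ID=' /etc/os-release | cut -f2 -d= | tr -d "\"'")
        case "$distro_release" in
          15.3)
            package_fixed="0.116-3.6.1"
            ;;
        esac
        ;;
      fedora)
        [ -r "/etc/os-release" ] && distro_release=$(grep -E '^VERSION_ID=' /etc/os-release | cut -f2 -d= | tr -d "\"'")
        case "$distro_release" in
          34)
            package_fixed="0.117-3.fc34.2"
            ;;
          35)
            package_fixed="0.120-1.fc35.1"
            ;;
          36)
            package_fixed="0.120-3.fc36"
            ;;
          *)
            # Compare only when the value is all digits, so text read from a
            # file is never evaluated as an arithmetic expression.
            case "$distro_release" in
              ''|*[!0-9]*) ;;
              *) [ "$distro_release" -gt 36 ] && exit 1 ;;
            esac
            ;;
        esac
        ;;
    esac
    # Installed package at or above the fixed version: nothing to report.
    # When either version is unknown the finding is kept.
    if [ -n "$package_fixed" ] && [ -n "$package_version" ] && ! lse_is_version_bigger "$package_fixed" "$package_version"; then
      # Not Vulnerable
      exit 1
    fi
  fi
  $vulnerable && echo "Vulnerable! polkit version: ${package_version:-$pkexec_version}"
} #)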

# Uncomment this line for testing the lse_cve_test function
#lse_NO_EXEC=true . ../lse.sh ; lse_cve_test
